Overview

Compliance – IT as an enabler!

When the TV news reports on IT, they often tell stories of failure. And it’s almost always about data. Data that has been stolen from companies’ servers – because they have not taken sufficient care to protect it. As early as 2011, the auditing and consulting firm KPMG found in a survey of the largest German companies that data protection and IT security were among the three most important compliance risks – right after corruption and bribery by employees. At the same time, countless legal requirements have been formulated in recent years that regulate all possible aspects of the use of IT systems – for example in the “Federal Data Protection Act” (BDSG) or with the “Principles for the proper keeping and storage of books, records and documents in electronic form and for data access (GoBD)”. IT compliance has therefore become a strategic issue for companies.

It is easy to lose sight of the fact that IT is not only the subject of compliance. IT often plays a key role in enabling compliance. This becomes particularly clear when dealing with documents. This is because rules apply to these – the main sources here are the German Fiscal Code (AO) and the German Commercial Code (HGB) – regardless of whether they are stored in analog form on paper or digitally on a server. However, many of these rules are much easier to comply with in the digital version than in the analog version.

Legible and unalterable during the retention period

A key aspect of this is the retention of documents. It must be possible to reproduce documents at any time for the duration of the legally defined period. In the event of a tax audit, for example, all incoming and outgoing invoices from the past ten years must be able to be presented. In principle, this is of course also possible if paper documents are filed in folders and archived in this way. This is still the predominant practice in most companies today. However, digital archiving – for example in the form of PDF documents – offers a number of advantages. First of all, this concerns the mere existence of the documents. Physical paper documents can be quickly destroyed by external factors such as fire or water. For this reason, copies are often made and stored separately. There is also a risk of digital documents being destroyed – for example, if the server on which they are stored is damaged or stolen. However, digital documents are much easier to store redundantly than paper-based documents.

However, documents must not only be available for the duration of the retention period, but must also be legible. External factors can also be problematic here. Invoices printed on thermal paper, for example, fade quickly. The quality of digital documents, on the other hand, does not suffer over time. Another regulatory requirement: documents must be unalterable. At first glance, the advantages here lie with paper. Changing the amount on a printed invoice requires considerably more skill than manipulating the total in a standard PDF document. However, the system with which the documents are organized can be designed in such a way that all actions are recorded via logging – and thus there is complete traceability. On the one hand, this is important in order to uncover illegal actions. On the other hand, logging also helps to prove the legally compliant creation of a document.

Access is precisely regulated

In addition, there are a whole series of downstream reasons that speak in favor of digital document storage from a compliance perspective. This concerns access to documents, for example. Access to a physical archive may only be permitted to certain employees in the company. However, access rights can then hardly be organized within the archive – anyone standing between the filing cabinets can look at both the annual financial statements and the payslips of all employees. With digital documents, on the other hand, access rights can be assigned precisely and for a limited period of time. Another point is findability. Finding a specific document in an archive with a large number of folders can take time. If documents are archived digitally, the required information is immediately available after a keyword or feature-based search.

Compliance requirements for the systems

The list of compliance benefits of digital documents could easily be extended. However, one thing is absolutely essential to ensure that these benefits are actually used: the system itself must meet certain compliance requirements. The GoBD regulates what these are. The digital association BITKOM has published a checklist [http://www.bitkom.org/Bitkom/Publikationen/GoBD-Checkliste-fuer-Dokumentenshymanagement-Systeme.html] in which the requirements are clearly summarized. These include

• Principle of traceability and verifiability (see GoBD chapter 3.1)
• Principles of truth, clarity and continuous recording (see GoBD chapter 3.2), with the individual topics
  • Completeness (see GoBD chapter 3.2.1),
  • accuracy (see GoBD chapter 3.2.2),
  • Timely bookings and records (see GoBD chapter 3.2.3),
  • order (see GoBD chapter 3.2.4) and
  • Immutability (see GoBD chapter 3.2.5).

Companies that organize their digital documents with a system that meets these requirements also meet the legal requirements that are generally placed on the handling of documents.